What Is New in APT 3.1 on Ubuntu 26.04

Ubuntu 26.04 ships APT 3.1.16, a significant step forward for the package manager that underpins every Debian-based system. Whether you are upgrading from Ubuntu 24.04 LTS or arriving fresh, the new APT 3.1 features on Ubuntu 26.04 include a smarter default dependency solver, new diagnostic commands, repository-level package filtering, and tightened cryptographic policies. This article walks through every user-facing change so you can take full advantage of the improvements and avoid potential migration pitfalls.

In this tutorial you will learn:

  • Which APT version Ubuntu 26.04 ships and how it relates to upstream Debian
  • How solver3 changes dependency resolution behavior on Ubuntu
  • How to use the new apt why and apt why-not diagnostic commands
  • How to filter repository packages with the new Include and Exclude options
  • Why DEB822 is now the default source format and what it looks like
  • What keyring filename restrictions and cryptographic cutoffs mean for third-party repositories

Software Requirements

Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Ubuntu 26.04 Resolute Raccoon
Software      APT 3.1.16
Other         Privileged access to your Linux system as root or via the sudo command.
Conventions   # – requires given Linux commands to be executed with root privileges either directly as a root user or by use of sudo command
              $ – requires given Linux commands to be executed as a regular non-privileged user

TL;DR
Ubuntu 26.04 ships APT 3.1.16 with the new solver3 dependency resolver enabled by default, new apt why / apt why-not diagnostic commands, and repository-level Include / Exclude package filtering. The DEB822 .sources format is now the default, and stricter keyring filename rules may break third-party repositories that use special characters such as @ in key filenames.

Quick Steps to Check APT 3.1 Features

Step                          Command/Action
1. Check APT version          apt --version
2. Confirm solver3 is active  apt-config dump | grep -i solver
3. Trace a package decision   apt why bash

APT Version Shipped with Ubuntu 26.04

Ubuntu 26.04 Resolute Raccoon ships APT version 3.1.16, which you can confirm on your own system by running:

$ apt --version

The output will show:

apt 3.1.16 (amd64)

This version is a direct Debian sync, meaning the package carries no Ubuntu-specific suffix (such as ubuntu1). You can review the full history of changes in the upstream APT changelog. Earlier in the 26.04 development cycle, Ubuntu did maintain its own delta builds (for example, 3.1.6ubuntu1 and 3.1.8ubuntu1) that added features like architecture-variant support and solver behavior tweaks. Those changes were later absorbed upstream, and the final release pocket received the clean Debian-synced 3.1.16 on 2026-02-20, just after the Feature Freeze date.

WHAT CHANGED SINCE UBUNTU 24.04 LTS
Ubuntu 24.04 LTS (Noble Numbat) shipped APT 2.7.14. The jump to APT 3.1.16 in Ubuntu 26.04 therefore spans two major release series (3.0 and 3.1), bringing a substantial set of new features and behavioral changes covered in this article.

Solver3 Is Now the Default on Ubuntu 26.04

One of the most significant new features in APT 3.1 on Ubuntu 26.04 is that the “3.0 solver” (commonly called solver3) is now the default dependency resolver for all apt CLI operations. You can verify this with:

$ apt-config dump | grep -i solver

The output confirms:

APT::Solver "3.0";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Version::1.21::APT::Solver "3.0";
Version::2.11::APT::Solver "3.0";
Version::3.1::APT::Solver "3.0";
Figure: The apt-config dump output confirms solver3 is the default dependency resolver across APT version lines.

The solver3 engine represents a ground-up rewrite of APT’s dependency resolution logic. It uses a SAT-solver-inspired approach with unit propagation, which produces faster and more predictable results than the classic resolver. In practical terms, this means:

  • Smarter dependency decisions. Solver3 better preserves the order of alternatives in dependency groups and handles complex conflict scenarios more reliably.
  • More aggressive autoremove. The new solver only tracks the strongest dependency chain for each package. Consequently, apt autoremove may flag packages that the classic solver previously kept because they were reachable through weaker chains.
  • Upgrade by source package. Added in APT 3.1.16, this improvement groups related binary packages from the same source and upgrades them together, reducing partial-upgrade states.
  • Automatic fallback. If solver3 fails to find a solution, APT automatically falls back to the classic internal solver and reports both outcomes, so you are never left without a resolution path.

IMPORTANT
This is a vendor-specific default. Ubuntu enables solver3 by default, while Debian may still use the classic solver depending on the release. If you encounter unexpected behavior during upgrades, you can temporarily revert to the old solver with --solver internal on any apt command.

New Commands: apt why and apt why-not

APT 3.1 introduces two new diagnostic subcommands that help you understand why the solver made a particular decision. These are conceptually similar to the aptitude why and aptitude why-not commands, but operate natively within apt using solver3’s decision trace.

apt why

The apt why command explains why a given package is selected for installation:

$ apt why bash

Output:

bash:amd64 is selected for install

This tells you that bash is directly marked for installation (in this case as an essential package). For packages pulled in as dependencies, the output traces the dependency chain that led to the decision.

apt why-not

Conversely, apt why-not explains why a package is not being installed:

$ apt why-not vim

Output:

vim:amd64 is undecided

This indicates that vim was never requested and no dependency chain pulls it in. Compare this with a package that is actually present:

$ apt why-not nano

Output:

nano:amd64 is actually marked for install

Here APT tells you that nano is in fact installed, so there is nothing preventing its presence.

PRACTICAL USE
These commands are particularly useful when troubleshooting upgrade scenarios where APT unexpectedly removes or holds back a package. Running apt why-not packagename during a dist-upgrade simulation can reveal which conflict or dependency prevented installation.

Repository Filtering with Include and Exclude

APT 3.1 adds two new source-file options, Include and Exclude, that let you control which packages APT considers from a given repository. This is especially valuable when you use third-party repositories but want to limit their scope to specific packages.

How It Works

You add the Include or Exclude directive directly inside a DEB822 .sources file entry. For example, to allow only the docker-ce and docker-ce-cli packages from a Docker repository:

Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: resolute
Components: stable
Signed-By: /etc/apt/keyrings/docker.gpg
Include: docker-ce docker-ce-cli

Alternatively, you can use Exclude to block specific packages while allowing everything else from a repository:

Types: deb
URIs: https://example.com/repo
Suites: resolute
Components: main
Signed-By: /etc/apt/keyrings/example.gpg
Exclude: unwanted-package problematic-lib

This feature provides a cleaner alternative to complex APT pinning rules when you simply want to allowlist or denylist packages at the repository level. Previously, achieving similar results required writing /etc/apt/preferences.d/ pin files with priority manipulation, which was both error-prone and harder to maintain.

DEB822 Source Format Is Now the Default

While not exclusive to APT 3.1, Ubuntu 26.04 fully embraces the DEB822 .sources format as the default for repository configuration. A fresh installation no longer creates /etc/apt/sources.list; instead, repositories are defined in /etc/apt/sources.list.d/ubuntu.sources:

$ cat /etc/apt/sources.list.d/ubuntu.sources
Types: deb
URIs: http://au.archive.ubuntu.com/ubuntu/
Suites: resolute resolute-updates resolute-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: resolute-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

The DEB822 format offers several advantages over the legacy one-line deb format. Each repository entry is a structured block with clearly labeled fields, making it easier to read and edit. The Signed-By field directly ties each repository to its specific signing key rather than relying on a global trust store, which improves security. Additionally, the new Include and Exclude options discussed earlier only work within the DEB822 format.

LEGACY FORMAT
If you have custom repositories still defined in the old sources.list one-line format, they will continue to work. However, newly added repositories should use the DEB822 format in /etc/apt/sources.list.d/ with a .sources extension to take advantage of per-repository key binding and the new filtering options.
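
A check for the per-repository key binding and filtering described above, as an added example that is not part of the original article or of APT: it reads DEB822 .sources files and prints, for each stanza, the URI, the Signed-By key (or MISSING, meaning the repository is not bound to a specific key) and the Include/Exclude scope. The function name audit_sources and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise key binding and package scope per DEB822 stanza.
# audit_sources FILE...  prints "<URIs> signed-by=<key|MISSING> scope=<...>"
audit_sources() {
    awk '
    function flush() {
        if (uris != "")
            printf "%s signed-by=%s scope=%s\n", uris, (key != "" ? key : "MISSING"), scope
        uris = ""; key = ""; scope = "all"
    }
    BEGIN { scope = "all" }
    FNR == 1 { flush() }                 # a new file always starts a new stanza
    /^[ \t]*$/ { flush(); next }         # a blank line ends the stanza
    /^#/ { next }                        # comment line
    match($0, /^[A-Za-z0-9-]+:/) {       # "Field: value" (field names are case-insensitive)
        name = tolower(substr($0, 1, RLENGTH - 1))
        val = substr($0, RLENGTH + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name == "uris") uris = val
        else if (name == "signed-by") key = (val != "" ? val : "inline-key")
        else if (name == "include") scope = "include:" val
        else if (name == "exclude") scope = "exclude:" val
    }
    END { flush() }
    ' "$@"
}

# Constructed sample input; on a real system pass /etc/apt/sources.list.d/*.sources
sample=$(mktemp)
cat > "$sample" <<'EOF'
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: resolute
Components: stable
Signed-By: /etc/apt/keyrings/docker.gpg
Include: docker-ce docker-ce-cli

Types: deb
URIs: https://example.com/repo
Suites: resolute
Components: main
EOF
audit_sources "$sample"
rm -f "$sample"
```

A stanza reported as signed-by=MISSING with scope=all is the widest grant of trust a third-party repository can receive, so those are the entries to review first.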

Key and Cryptographic Policy Changes

APT 3.1 tightens its approach to repository signing in two important ways that administrators managing third-party repositories on Ubuntu 26.04 need to be aware of.

Keyring Filename Restrictions

Files stored in /etc/apt/trusted.gpg.d/ must now follow run-parts-style naming rules. The allowed characters in filenames are limited to:

  • a-z, A-Z, 0-9, _ (underscore), - (hyphen), : (colon)
  • . (dot) only when an extension is needed

Previously, APT used a find-based approach to enumerate key files that matched *.gpg or *.asc patterns regardless of other characters in the filename. The newer directory enumeration routine is stricter. If you have key files with characters outside the allowed set (the @ symbol is a commonly reported offender), signature verification will fail during apt update even though the key material itself is valid. The fix is straightforward: rename the file to use only compliant characters.

On a clean Ubuntu 26.04 installation, the trusted.gpg.d directory contains only the standard Ubuntu keyrings:

$ ls -la /etc/apt/trusted.gpg.d/
-rw-r--r-- 1 root root 1165 Nov 28  2023 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1167 Nov 28  2023 ubuntu-keyring-2018-archive.gpg

However, the recommended approach for third-party repositories is to store keys in /etc/apt/keyrings/ and reference them via the Signed-By field in DEB822 entries, rather than relying on the global trusted.gpg.d directory.
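
The naming rule from this section turned into a pre-upgrade check, as an added example that is not code from the article or from APT: it lists key files whose names contain characters outside the allowed set and prints a compliant replacement name. The function names are hypothetical, and the script assumes a conservative reading of the rule in which a dot is accepted only in front of the .gpg or .asc extension.

```shell
#!/bin/sh
# Added example (not from APT): audit key filenames against the rule above.
# Assumption: a dot is accepted only as the separator before .gpg or .asc.
export LC_ALL=C   # make the A-Z / a-z ranges byte-exact

# keyring_name_ok NAME: succeeds when NAME uses only the allowed characters
keyring_name_ok() {
    case $1 in
        *.gpg) kn_stem=${1%.gpg} ;;
        *.asc) kn_stem=${1%.asc} ;;
        *) return 1 ;;
    esac
    case $kn_stem in
        ''|*[!A-Za-z0-9_:-]*) return 1 ;;
    esac
    return 0
}

# suggest_keyring_name NAME: print NAME with each offending character replaced by _
suggest_keyring_name() {
    case $1 in
        *.gpg) sn_ext=.gpg ;;
        *.asc) sn_ext=.asc ;;
        *) sn_ext= ;;
    esac
    sn_stem=${1%"$sn_ext"}
    printf '%s%s\n' "$(printf '%s' "$sn_stem" | tr -c 'A-Za-z0-9_:-' '_')" "$sn_ext"
}

# audit_keyring_dir [DIR]: list *.gpg / *.asc files whose names break the rule
audit_keyring_dir() {
    for ak_path in "${1:-/etc/apt/trusted.gpg.d}"/*.gpg "${1:-/etc/apt/trusted.gpg.d}"/*.asc; do
        [ -f "$ak_path" ] || continue          # also skips unmatched globs
        ak_name=${ak_path##*/}
        keyring_name_ok "$ak_name" ||
            printf 'NONCOMPLIANT %s -> %s\n' "$ak_name" "$(suggest_keyring_name "$ak_name")"
    done
}

# Demo on a constructed directory; call audit_keyring_dir with no argument on a real system.
demo=$(mktemp -d)
touch "$demo/docker.gpg" "$demo/vendor@example.com.gpg"
audit_keyring_dir "$demo"
rm -rf "$demo"
```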

Cryptographic Algorithm Cutoffs

APT 3.1 enforces a tiered cryptographic policy aligned with the Sequoia project. You can see the three policy levels in the APT configuration:

$ apt-config dump | grep Assert-Pubkey-Algo
APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";
APT::Key::Assert-Pubkey-Algo::Next ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512";
APT::Key::Assert-Pubkey-Algo::Future ">=rsa3072,ed25519,ed448";

The current policy accepts a broad range of algorithms including RSA 2048+, Ed25519, and various elliptic curves. The Next tier narrows the set by dropping Brainpool and secp256k1 curves. The Future tier raises the RSA minimum to 3072 bits and only accepts Ed25519/Ed448 for elliptic-curve keys.

APT will warn about signatures that are going to be rejected within the next year when the policy transitions to the next tier. For administrators running third-party repositories, this means:

  • DSA keys are already rejected.
  • RSA keys smaller than 2048 bits are already rejected.
  • Repositories signed with RSA 2048 keys will eventually need to upgrade to 3072-bit or stronger keys.
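
The three tiers applied to individual key types, as an added example that is not APT's own code: it evaluates an algorithm label such as rsa2048 against the Current, Next and Future policy strings quoted above. It assumes that an entry of the form >=rsaN admits RSA keys of N bits or more and that every other entry must match the label exactly; the function names and the labels in the demo loop are constructed.

```shell
#!/bin/sh
# Added example (not APT code): check a key algorithm label against the
# three Assert-Pubkey-Algo tiers quoted above.
# Assumption: ">=rsaN" admits RSA keys of N bits or more; other entries match exactly.
POLICY_CURRENT='>=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1'
POLICY_NEXT='>=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512'
POLICY_FUTURE='>=rsa3072,ed25519,ed448'

# algo_allowed POLICY LABEL: succeeds when LABEL (e.g. rsa4096) satisfies POLICY
algo_allowed() {
    aa_label=$2
    aa_ifs=$IFS; IFS=,
    set -- $1                                    # split the policy on commas
    IFS=$aa_ifs
    for aa_entry in "$@"; do
        case $aa_entry in
            '>='*)
                aa_min=${aa_entry#??}            # e.g. rsa2048
                aa_fam=${aa_min%%[0-9]*}         # e.g. rsa
                aa_bits=${aa_label#"$aa_fam"}    # size of the label if same family
                case $aa_bits in
                    "$aa_label"|''|*[!0-9]*) ;;  # other family or malformed size
                    *) [ "$aa_bits" -ge "${aa_min#"$aa_fam"}" ] && return 0 ;;
                esac ;;
            "$aa_label") return 0 ;;
        esac
    done
    return 1
}

# tier_status LABEL: print which tiers accept the label
tier_status() {
    ts_out=$1
    for ts_tier in current next future; do
        case $ts_tier in
            current) ts_policy=$POLICY_CURRENT ;;
            next)    ts_policy=$POLICY_NEXT ;;
            future)  ts_policy=$POLICY_FUTURE ;;
        esac
        if algo_allowed "$ts_policy" "$1"; then ts_out="$ts_out $ts_tier=ok"
        else ts_out="$ts_out $ts_tier=REJECT"; fi
    done
    printf '%s\n' "$ts_out"
}

# Constructed labels, not read from real keys
for label in rsa1024 rsa2048 rsa4096 ed25519 nistp256 secp256k1 dsa1024; do
    tier_status "$label"
done
```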

SECURITY ALERT
If you see warnings during apt update about weak signatures, contact the repository maintainer. These warnings indicate the signing key will stop working when APT transitions to the next policy tier. Do not ignore these warnings on production systems.

Conclusion

APT 3.1.16 on Ubuntu 26.04 brings meaningful improvements to the daily experience of APT package management. The solver3 default delivers faster and more predictable dependency resolution, while apt why and apt why-not give you visibility into decisions that were previously opaque. Repository filtering with Include and Exclude simplifies what used to require complex pinning rules, and the DEB822 source format ties everything together with per-repository key binding. If you manage PPAs or third-party repositories, pay close attention to the keyring filename restrictions and cryptographic policy tiers to avoid unexpected verification failures during upgrades.

Frequently Asked Questions

  1. What version of APT does Ubuntu 26.04 ship? Ubuntu 26.04 ships APT 3.1.16, which is a direct Debian sync with no Ubuntu-specific suffix. This version was published into the resolute release pocket on 2026-02-20.
  2. Is solver3 the default on Ubuntu 26.04? Yes. Ubuntu 26.04 enables the “3.0 solver” (solver3) by default for all apt CLI operations. This is a vendor-specific default; Debian may use a different solver default depending on the release. You can verify this by running apt-config dump | grep -i solver.
  3. Can I revert to the classic APT solver? Yes. Append --solver internal to any apt command to bypass solver3 and use the classic dependency resolver for that operation. Additionally, if solver3 fails to find a solution, APT automatically falls back to the classic solver.
  4. What do the apt why and apt why-not commands do? These new diagnostic commands trace the solver’s decision about a specific package. apt why bash shows why bash is selected for installation, while apt why-not vim explains why vim is not being installed. They are useful for debugging unexpected package removals or hold-backs during upgrades.
  5. Will my old sources.list file still work on Ubuntu 26.04? Yes. The legacy one-line deb format is still supported. However, a fresh Ubuntu 26.04 installation uses the DEB822 .sources format by default, and new features like Include/Exclude filtering only work in DEB822 entries.
  6. Why does apt update fail after upgrading to Ubuntu 26.04 with third-party repositories? The most likely cause is a keyring file in /etc/apt/trusted.gpg.d/ that contains characters not permitted under the new run-parts naming rules (such as @). Rename the file to use only letters, digits, underscores, hyphens, and colons. Better yet, move the key to /etc/apt/keyrings/ and reference it with Signed-By in a DEB822 source entry.